Revision f9c9899b
Added by Viktor Gurov over 5 years ago
| src/etc/inc/ipsec.inc | ||
|---|---|---|
| 1341 | 1341 |
$ssconf[] = "# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten."; |
| 1342 | 1342 |
$ssconf['starter'] = array(); |
| 1343 | 1343 |
$ssconf['starter']['load_warning'] = "no"; |
| 1344 |
$ssconf['starter']['config_file'] = "{$g['varetc_path']}/ipsec/ipsec.conf";
|
|
| 1345 | 1344 |
|
| 1346 | 1345 |
$ssconf['charon'] = array(); |
| 1347 | 1346 |
$ssconf['charon'][] = '# number of worker threads in charon'; |
| ... | ... | |
| 1419 | 1418 |
/* Generate an eap-radius config section if appropriate */ |
| 1420 | 1419 |
if (count($radius_servers) && ($mobile_ipsec_auth === "eap-radius")) {
|
| 1421 | 1420 |
$ssconf['charon']['plugins']['eap-radius'] = array(); |
| 1421 |
$ssconf['charon']['plugins']['eap-radius']['load'] = "2"; |
|
| 1422 | 1422 |
$ssconf['charon']['plugins']['eap-radius']['class_group'] = "yes"; |
| 1423 | 1423 |
$ssconf['charon']['plugins']['eap-radius']['eap_start'] = "no"; |
| 1424 | 1424 |
/* Activate RADIUS accounting only if it was selected on the IPsec Mobile Clients tab */ |
| ... | ... | |
| 1461 | 1461 |
if (!is_array($a_client) || !isset($a_client['enable'])) {
|
| 1462 | 1462 |
return; |
| 1463 | 1463 |
} |
| 1464 |
if (($mobile_ipsec_auth == "eap-radius") && empty($a_client['pool_address']) && |
|
| 1465 |
empty($a_client['pool_address_v6'])) {
|
|
| 1466 |
return; |
|
| 1467 |
} |
|
| 1464 | 1468 |
$scconf['pools']['mobile-pool'] = array(); |
| 1465 | 1469 |
|
| 1466 | 1470 |
$pool_addrs = array(); |
| ... | ... | |
| 1470 | 1474 |
if (!empty($a_client['pool_address_v6'])) {
|
| 1471 | 1475 |
$pool_addrs[] = "{$a_client['pool_address_v6']}/{$a_client['pool_netbits_v6']}";
|
| 1472 | 1476 |
} |
| 1473 |
if ($mobile_ipsec_auth == "eap-radius" && !count($pool_addrs)) {
|
|
| 1474 |
$pool_addrs[] = "%radius"; |
|
| 1475 |
} |
|
| 1476 | 1477 |
if (count($pool_addrs)) {
|
| 1477 | 1478 |
$scconf['pools']['mobile-pool']['addrs'] = implode(',', $pool_addrs);
|
| 1478 | 1479 |
} |
| ... | ... | |
| 2263 | 2264 |
$conn['remote_addrs'] = $remote_spec; |
| 2264 | 2265 |
|
| 2265 | 2266 |
if (isset($ph1ent['mobile'])) {
|
| 2266 |
$conn['pools'] = "mobile-pool"; |
|
| 2267 |
if (($ph1ent['authentication_method'] == 'eap-radius') && |
|
| 2268 |
empty($a_client['pool_address']) && empty($a_client['pool_address_v6'])) {
|
|
| 2269 |
$conn['pools'] = "radius"; |
|
| 2270 |
} else {
|
|
| 2271 |
$conn['pools'] = "mobile-pool"; |
|
| 2272 |
if (isset($a_client['radius_ip_priority_enable'])) {
|
|
| 2273 |
$conn['pools'] .= ", radius"; |
|
| 2274 |
} |
|
| 2275 |
} |
|
| 2267 | 2276 |
} |
| 2268 | 2277 |
|
| 2269 | 2278 |
/* For IKEv2 without Split Connections, setup combined sets of |
| src/usr/local/www/vpn_ipsec_mobile.php | ||
|---|---|---|
| 69 | 69 |
$pconfig['wins_server2'] = $a_client['wins_server2']; |
| 70 | 70 |
$pconfig['pfs_group'] = $a_client['pfs_group']; |
| 71 | 71 |
$pconfig['login_banner'] = $a_client['login_banner']; |
| 72 |
|
|
| 72 |
$pconfig['radius_ip_priority_enable'] = $a_client['radius_ip_priority_enable']; |
|
| 73 |
|
|
| 73 | 74 |
if (isset($pconfig['enable'])) {
|
| 74 | 75 |
$pconfig['enable'] = true; |
| 75 | 76 |
} |
| 76 | 77 |
|
| 77 |
if ($pconfig['pool_address']&&$pconfig['pool_netbits']) {
|
|
| 78 |
if ($pconfig['pool_address'] && $pconfig['pool_netbits']) {
|
|
| 78 | 79 |
$pconfig['pool_enable'] = true; |
| 79 | 80 |
} else {
|
| 80 | 81 |
$pconfig['pool_netbits'] = 24; |
| 81 | 82 |
} |
| 82 | 83 |
|
| 83 |
if ($pconfig['pool_address_v6']&&$pconfig['pool_netbits_v6']) {
|
|
| 84 |
if (isset($pconfig['radius_ip_priority_enable'])) {
|
|
| 85 |
$pconfig['radius_ip_priority_enable'] = true; |
|
| 86 |
} |
|
| 87 |
|
|
| 88 |
if ($pconfig['pool_address_v6'] && $pconfig['pool_netbits_v6']) {
|
|
| 84 | 89 |
$pconfig['pool_enable_v6'] = true; |
| 85 | 90 |
} else {
|
| 86 | 91 |
$pconfig['pool_netbits_v6'] = 120; |
| ... | ... | |
| 102 | 107 |
$pconfig['dns_split_enable'] = true; |
| 103 | 108 |
} |
| 104 | 109 |
|
| 105 |
if ($pconfig['dns_server1']||$pconfig['dns_server2']||$pconfig['dns_server3']||$pconfig['dns_server4']) {
|
|
| 110 |
if ($pconfig['dns_server1'] || $pconfig['dns_server2'] || $pconfig['dns_server3'] || $pconfig['dns_server4']) {
|
|
| 106 | 111 |
$pconfig['dns_server_enable'] = true; |
| 107 | 112 |
} |
| 108 | 113 |
|
| 109 |
if ($pconfig['wins_server1']||$pconfig['wins_server2']) {
|
|
| 114 |
if ($pconfig['wins_server1'] || $pconfig['wins_server2']) {
|
|
| 110 | 115 |
$pconfig['wins_server_enable'] = true; |
| 111 | 116 |
} |
| 112 | 117 |
|
| ... | ... | |
| 231 | 236 |
} |
| 232 | 237 |
} |
| 233 | 238 |
|
| 239 |
if ($pconfig['radius_ip_priority_enable']) {
|
|
| 240 |
if (!(isset($mobileph1) && ($mobileph1['authentication_method'] == 'eap-radius'))) {
|
|
| 241 |
$input_errors[] = gettext("RADIUS IP may only take prioriy when using EAP-RADIUS for authentication on the Mobile IPsec VPN.");
|
|
| 242 |
} |
|
| 243 |
} |
|
| 244 |
|
|
| 234 | 245 |
if (!$input_errors) {
|
| 235 | 246 |
$client = array(); |
| 236 | 247 |
|
| ... | ... | |
| 252 | 263 |
$client['pool_netbits'] = $pconfig['pool_netbits']; |
| 253 | 264 |
} |
| 254 | 265 |
|
| 266 |
if ($pconfig['radius_ip_priority_enable']) {
|
|
| 267 |
$client['radius_ip_priority_enable'] = true; |
|
| 268 |
} |
|
| 269 |
|
|
| 255 | 270 |
if ($pconfig['pool_enable_v6']) {
|
| 256 | 271 |
$client['pool_address_v6'] = $pconfig['pool_address_v6']; |
| 257 | 272 |
$client['pool_netbits_v6'] = $pconfig['pool_netbits_v6']; |
| ... | ... | |
| 516 | 531 |
|
| 517 | 532 |
$section->add($group); |
| 518 | 533 |
|
| 534 |
$section->addInput(new Form_Checkbox( |
|
| 535 |
'radius_ip_priority_enable', |
|
| 536 |
'RADIUS IP address priority', |
|
| 537 |
'IPv4 address pool is used if IP is not supplied by RADIUS server', |
|
| 538 |
$pconfig['radius_ip_priority_enable'] |
|
| 539 |
)); |
|
| 540 |
|
|
| 519 | 541 |
$section->addInput(new Form_Checkbox( |
| 520 | 542 |
'pool_enable_v6', |
| 521 | 543 |
'Virtual IPv6 Address Pool', |
Also available in: Unified diff
Accomodate both RADIUS and pool IP addresses in IPsec. Issue #8160